Outsourcing Notification Obligations for Investment Firms: Key Considerations
The notification obligation for outsourcing at securities institutions is a central element of supervisory control and transparency. According to Section 40 of the WpIG in conjunction with Delegated Regulation (EU) 2017/565, you, as a securities institution, are obliged to notify certain outsourcing arrangements to the BaFin and the Deutsche Bundesbank.
✨ 1. What Is a Material Outsourcing?
Outsourcing is considered material if a failure in execution could significantly impair compliance with legal requirements, financial performance, or the continuity of services.
Not considered material are, for example:
-
Staff training,
-
Consulting,
-
Simple IT services,
-
Cleaning or security services.
The decisive factor is always the individual risk assessment.
✍️ 2. Your Duties as a Securities Institution
a) Risk Management & Outsourcing Register
You must implement an effective risk management system that identifies and assesses outsourcing risks.
A comprehensive outsourcing register must be maintained – including both material and non-material outsourcing.
b) Notification and Reporting Obligations
You must report:
-
Intention to enter into a material outsourcing,
-
Execution of a material outsourcing,
-
Material changes,
-
Serious incidents.
When and how to notify?
-
Via the BaFin MVP portal
-
Using web form, XML upload or web service
📄 3. Requirements for Outsourcing Agreements
A good contract is essential:
-
A legal representative in Germany must be named for outsourcing to third countries.
-
Clearly defined rights and obligations such as:
-
Right to issue instructions
-
Rights to information and audit
-
Termination rights
-
Provisions for data protection and retention
-
⚠️ 4. Supervisory Powers of BaFin
BaFin may intervene when:
-
Proper service delivery is at risk,
-
Risks are not adequately managed,
-
Audit rights are restricted.
BaFin can issue instructions to you and the service provider.
🚨 5. Other Organisational Requirements
You remain fully responsible! Therefore, you need:
-
Ongoing monitoring of the service provider
-
Contingency plans and exit strategies
-
Regular risk analyses and reviews
📝 6. Overview of Notification Obligations
Reportable Event | Timing of Notification | Reporting Channel |
---|---|---|
Intention of material outsourcing | Before implementation | BaFin MVP Portal |
Execution of the outsourcing | Immediately after contract execution | BaFin MVP Portal |
Material change | After the change has occurred | BaFin MVP Portal |
Serious incident | Immediately upon becoming aware | MVP Portal / Excel Form |
🌐 7. Special Requirements for Third Countries
If outsourcing to third countries:
-
Cooperation agreements with local supervisory authorities may be required
-
German legal representative must be designated
-
Data protection and access controls must be documented
📊 8. Content of Notification According to WpI-AnzV § 13
Your notification must contain detailed information, including:
-
Reference number, contract term, termination periods
-
Processes involved, data categories, cloud models and locations
-
Materiality assessment, risk evaluation, budget
-
Sub-outsourcers, substitutability, contingency planning
In the case of material changes, many of these details must be resubmitted.
🚫 9. What Constitutes a Serious Incident?
Examples include:
-
IT outages that disrupt service delivery for extended periods
-
Legal violations, especially breaches of data protection laws
-
Lack of cooperation with supervisory authorities
-
Reputational damage or looming insolvency of the provider
In such cases, you must inform the authorities immediately.
🔹 Conclusion: What You Must Consider
-
Only material outsourcing arrangements are subject to notification
-
Use the BaFin MVP Portal for all reports
-
Maintain a complete outsourcing register with up-to-date risk assessments
-
Draft precise contracts, especially for third-country outsourcing
-
Plan for emergencies and exit scenarios
-
Ensure all documentation is audit-ready and respond promptly to BaFin inquiries